Difference between revisions of "Block SMTP Authentication Attacks With Fail2Ban"

From Free Knowledge Base- The DUCK Project: information for everyone
Jump to: navigation, search
m
Line 3: Line 3:
 
Fail2ban works by scanning log files to detect attacks such as log entries indicating multiple failed login attempts.  It scans though the log, identifies an offending IP address, then creates an on-the-fly firewall rule to block it.  It is typically configured to use iptables to accomplish this, however, it is not restricted to any one firwall, or using just firewall rules.
 
Fail2ban works by scanning log files to detect attacks such as log entries indicating multiple failed login attempts.  It scans though the log, identifies an offending IP address, then creates an on-the-fly firewall rule to block it.  It is typically configured to use iptables to accomplish this, however, it is not restricted to any one firwall, or using just firewall rules.
  
First, you need to install Fail2Ban.  For Redhat/Fedora/CentOS use yum.
+
==== obtain and install ====
 +
 
 +
First, you need to install Fail2Ban.  For Redhat/Fedora use yum.
 
  yum install fail2ban
 
  yum install fail2ban
 +
 +
CentOS:  fail2ban is not available from CentOS.  It will have to be manually downloaded.
 +
 +
ALL LINUX DISTRIBUTIONS - Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it. It can always be obtained directly from http://www.fail2ban.org
 +
 +
==== configure ====
  
 
Now modify the configuration file
 
Now modify the configuration file

Revision as of 13:22, 7 February 2014

Blocking SMTP authentication brute force attacks using Fail2Ban - Fail2Ban can be used to block brute force attacks against your mail server. The attackers are blocked by their source IP using iptables. Although it doesn't block SMTP attacks by default, Fail2Ban can be configured to do so.

Fail2ban works by scanning log files to detect attacks such as log entries indicating multiple failed login attempts. It scans though the log, identifies an offending IP address, then creates an on-the-fly firewall rule to block it. It is typically configured to use iptables to accomplish this, however, it is not restricted to any one firwall, or using just firewall rules.

obtain and install

First, you need to install Fail2Ban. For Redhat/Fedora use yum.

yum install fail2ban

CentOS: fail2ban is not available from CentOS. It will have to be manually downloaded.

ALL LINUX DISTRIBUTIONS - Fail2ban is written in Python, thus no compilation is required. You can even run Fail2ban without installing it. It can always be obtained directly from http://www.fail2ban.org

configure

Now modify the configuration file

vi /etc/fail2ban/fail2ban.conf

Set the path to the log file.

Configuration Parameters:

  • ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban.
  • bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).
  • maxretry: Max. number of failed login attempts before a host is blocked by fail2ban.
  • filter: Refers to the appropriate filter file in "/etc/fail2ban/filter.d".
  • logpath: The log file that fail2ban checks for failed login attempts.